From 9fbc523ffd26fd78acdded9d0944470a8fd0ad5d Mon Sep 17 00:00:00 2001
From: Thomas Gelf
Date: Fri, 25 Aug 2017 12:33:36 +0200
Subject: [PATCH] ConfigController: explicitly forbid all REST API

...calls to methods not being exported. fixes #1113
---
 application/controllers/ConfigController.php | 37 +++++++++++++++++++
 .../Web/Controller/Extension/RestApi.php | 10 +++++
 2 files changed, 47 insertions(+)

diff --git a/application/controllers/ConfigController.php b/application/controllers/ConfigController.php
index fbeef6bf..c97a74e5 100644
--- a/application/controllers/ConfigController.php
+++ b/application/controllers/ConfigController.php
@@ -3,6 +3,8 @@
 namespace Icinga\Module\Director\Controllers;
 use Icinga\Data\Filter\Filter;
+use Icinga\Exception\IcingaException;
+use Icinga\Exception\NotFoundError;
 use Icinga\Module\Director\ConfigDiff;
 use Icinga\Module\Director\Forms\DeployConfigForm;
 use Icinga\Module\Director\Forms\SettingsForm;
@@ -37,6 +39,9 @@ class ConfigController extends ActionController
 public function deploymentsAction()
 {
+ if ($this->sendNotFoundForRestApi()) {
+ return;
+ }
 $this->assertPermission('director/deploy');
 $this->addTitle($this->translate('Deployments'));
 try {
@@ -74,6 +79,17 @@ class ConfigController extends ActionController
 public function deployAction()
 {
+ $request = $this->getRequest();
+ if (! $request->isApiRequest()) {
+ throw new NotFoundError('Not found');
+ }
+
+ if (! $request->isPost()) {
+ throw new IcingaException(
+ 'Unsupported method: %s',
+ $request->getMethod()
+ );
+ }
 $this->assertPermission('director/deploy');
 // TODO: require POST
@@ -100,6 +116,9 @@ class ConfigController extends ActionController
 public function activitiesAction()
 {
+ if ($this->sendNotFoundForRestApi()) {
+ return;
+ }
 $this->assertPermission('director/audit');
 $this->setAutorefreshInterval(10);
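Review bot: The guard added at the top of deploymentsAction() makes REST API exposure opt-out per action: every action in ConfigController other than deployAction() now has to remember to call `sendNotFoundForRestApi()`, and the identical insert is repeated in activitiesAction, activityAction, settingsAction, filesAction, fileAction, diffAction and filediffAction. Any action added to this controller later without that line is reachable over the API by default, which is exactly the exposure this commit is closing. If the base controller offers a dispatch hook such as preDispatch(), denying API requests once there and allow-listing the exported action(s) would make the default closed and let the per-action guards go. If the per-action form stays, a short comment at the first occurrence, e.g. `// Not exported via the REST API, see sendNotFoundForRestApi()`, would explain why this check deliberately precedes assertPermission(). Each action body continues outside its hunk.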
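Review bot: The `// TODO: require POST` comment that follows assertPermission() in deployAction() is now stale, because the new `isPost()` check above it enforces exactly that; the comment should be dropped in the same change. Separately, a wrong-method API call is reported via a generic `IcingaException`, which presumably surfaces as a 500-class error rather than the 405 an API client would expect; if the RestApi trait's error path allows choosing the status, sending the JSON error with 405 there would be more accurate, so it is worth confirming how IcingaException is mapped for API requests. Note also that both new request-shape checks run before assertPermission('director/deploy'); harmless here, but a one-line comment stating that the ordering is intentional would help the next reader. deployAction's body continues outside the hunk.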
@@ -142,6 +161,9 @@ class ConfigController extends ActionController
 public function activityAction()
 {
+ if ($this->sendNotFoundForRestApi()) {
+ return;
+ }
 $this->assertPermission('director/showconfig');
 $p = $this->params;
 $info = new ActivityLogInfo(
@@ -163,6 +185,9 @@ class ConfigController extends ActionController
 public function settingsAction()
 {
+ if ($this->sendNotFoundForRestApi()) {
+ return;
+ }
 $this->assertPermission('director/admin');
 $this->addSingleTab($this->translate('Settings'))
@@ -179,6 +204,9 @@ class ConfigController extends ActionController
 */
 public function filesAction()
 {
+ if ($this->sendNotFoundForRestApi()) {
+ return;
+ }
 $this->assertPermission('director/showconfig');
 $config = IcingaConfig::load(
 Util::hex2binary($this->params->getRequired('checksum')),
@@ -219,6 +247,9 @@ class ConfigController extends ActionController
 */
 public function fileAction()
 {
+ if ($this->sendNotFoundForRestApi()) {
+ return;
+ }
 $this->assertPermission('director/showconfig');
 $filename = $this->params->getRequired('file_path');
 $this->configTabs()->add('file', array(
@@ -258,6 +289,9 @@ class ConfigController extends ActionController
 public function diffAction()
 {
+ if ($this->sendNotFoundForRestApi()) {
+ return;
+ }
 $this->assertPermission('director/showconfig');
 $db = $this->db();
@@ -302,6 +336,9 @@ class ConfigController extends ActionController
 public function filediffAction()
 {
+ if ($this->sendNotFoundForRestApi()) {
+ return;
+ }
 $this->assertPermission('director/showconfig');
 $p = $this->params;
diff --git a/library/Director/Web/Controller/Extension/RestApi.php b/library/Director/Web/Controller/Extension/RestApi.php
index f0595597..1aa1587f 100644
--- a/library/Director/Web/Controller/Extension/RestApi.php
+++ b/library/Director/Web/Controller/Extension/RestApi.php
@@ -17,6 +17,16 @@ trait RestApi
 }
 }
+ protected function sendNotFoundForRestApi()
+ {
+ if ($this->getRequest()->isApiRequest()) {
+ $this->sendJsonError($this->getResponse(), 'Not found', 404);
+ return true;
+ } else {
+ return false;
+ }
+ }
+
 protected function assertApiPermission()
 {
 if (! $this->hasPermission('director/api')) {
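Review bot: `sendNotFoundForRestApi()` has no docblock and its `else` branch is redundant after the `return true;`; `return false;` directly, with `/** @return bool true when a JSON 404 was sent and the calling action must return immediately */` above the method, would state the contract the controllers now rely on (the file appears to target pre-PHP 7, so a native `: bool` return type is probably not an option here — confirm). That contract also depends on `sendJsonError()` preventing the action's view script from being rendered after the early `return` in the callers; sendJsonError() is not visible in this hunk, so if it does not disable the view renderer the 404 JSON body would be followed by HTML. Either document that guarantee in the docblock or have this method stop rendering itself. The enclosing trait continues outside the hunk.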